How to Formulate Your BSA/AML Policy for Bank Due Diligence
Embarking on the journey of launching a fintech or tech company as a founder can be both exhilarating and challenging, especially when integrating a financial product into your existing customer offerings. At this crucial phase, the key lies in securing a reliable bank partner who will sponsor your financial products through a Banking as a Service (BaaS) model. This critical bank partnership not only ensures credibility and regulatory compliance but also opens up avenues to new revenue streams and the ability to deliver enhanced value to your customers.
This article aims to provide fintech founders and operators with a fundamental grasp of how to meet a bank partner’s Bank Secrecy Act and Anti-Money Laundering (BSA/AML) policy requirements. Understanding and aligning with these foundational principles is crucial for successfully collaborating with your bank partner while ensuring compliance with regulatory standards.
Anti-Money Laundering - Developing your BSA/AML program
Assuming your discovery conversations with the prospective bank partner went well and they want to continue the discussion (congrats, those aren’t easy!), you can expect to receive a due diligence questionnaire and document request list. At the top of this list will be a request for the fintech’s ‘BSA/AML Program.’
Now this might be your first time hearing these vitally important acronyms, and that is okay (unless your background is in compliance), but how you respond to that ‘BSA/AML Program’ request can ultimately determine whether the bank thinks your fintech is ready to meet the regulatory compliance requirements of a financial service company. If the bank doesn’t think you're ready, they will likely choose not to move forward with the partnership.
Key components of your BSA/AML policy
So why is your future bank partner asking you about a BSA/AML policy?
In 1970, Congress passed the Bank Secrecy Act , which put obligations on banks to establish and maintain programs for detecting and reporting potential money laundering and suspicious financial activity. For the past 50+ years, banks have sought to meet the regulatory requirements of the BSA, and other federal and state regulations, through the establishment of BSA/AML Programs.
In BaaS partnerships, the banks are ultimately responsible as the regulated financial institution for ensuring their fintech partners have AML controls in place to comply with bank regulatory requirements. Generally, this means the fintech partner builds an AML Program that closely resembles that of the banks, beginning with the BSA/AML Policy.
Let's delve into the key components of your fintech’s BSA/AML Policy — which will be purpose-built to meet bank partner expectations. These sections follow the conventional sequence found in a policy document:
BSA/AML Policy Statement & Scope
- This should include information on your fintech — its products and customers, its relationship with its bank partner (and middleware, if applicable) — along with an affirmative statement that your fintech (including its senior management) is committed to complying with all applicable federal and state AML laws and regulations. The scope should outline who is covered by the Policy, including the fintech and its affiliates, products/services, personnel, agents, directors, and third-party service providers.
BSA/AML Policy Governance
- Governance focuses on who is responsible for the content and maintenance of your Policy. This should include the ultimate approval authority (e.g., Board of Directors), party responsible for implementation/updates (e.g., AML Officer), how often the Policy is reviewed/approved (e.g., annually), and who should have access to the Policy (e.g., all fintech employees). While these titles can vary, the components themselves are required. Further elaboration is available in the subsequent section dedicated to program elements.
- This section should detail what laws apply, basic definitions of key terms (e.g., what is money laundering?) and relevant regulators that promulgate and enforce the AML compliance requirements and who are the recipients of regulatory reports, like the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC).
Risk-Based Approach (BSA/AML Risk Assessment)
- The risk assessment is the basis from which your fintech will build its risk-based BSA/AML Program, specifically tailoring it to the unique risks of your products/services, customers, channels, and operating geographies. The Policy should include a commitment to complete this process, as well as outline the cadence for updating the risk assessment (e.g., annually and in response to significant changes to your fintech’s business).
BSA/AML Program Elements (the heart of the BSA/AML Program)
- Board/Management Oversight: Establishing strong board and management oversight ensures commitment and accountability at the highest level, emphasizing the importance of a culture of compliance throughout the organization.
- Designation of BSA/AML Officer: Assigning a dedicated BSA/AML Officer is crucial for centralizing responsibility, overseeing program effectiveness, and acting as a point of contact for the bank partner and other key stakeholders. This is a regulatory requirement for the banks and often a contractual requirement between the partner bank and fintech.
- Policies and Procedures: Documenting clear and comprehensive policies and procedures guides your personnel in adhering to BSA/AML requirements, promoting consistency and reliability in compliance efforts across the organization. These are key ways to evidence to your bank partner that the fintech has developed, operationalized, and documented its BSA/AML Program.
- Customer Identification Program (CIP): The initial stopgap to ensure your fintech and its users are safe, CIP is the requirement to form a reasonable belief of all customer identities prior to onboarding. In addition to establishing the CIP, the Policy should also indicate your fintech will provide adequate notice to prospective customers on why their information is being collected at the time of onboarding.
- Know Your Customer (KYC) / Know Your Business (KYB): KYC and KYB processes implement your CIP requirement and should describe how your fintech is verifying the identities of your consumer and/or business customers, such as through the use of non-documentary (using a third-party verification provider) or documentary verification (collecting and manually verifying customer information).
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): CDD is how your fintech builds a comprehensive profile of its customers, through the assignment of risk (i.e., customer risk rating), understanding the nature and purpose of the relationship, and ongoing monitoring for unusual activity. For business customers, CDD also means collecting beneficial ownership information of the legal entity. For higher-risk customers, EDD is the process by which your fintech can take additional measures to evaluate and mitigate the risk of these customers, such as requesting supplemental information from the customer and heightened ongoing monitoring.
- Suspicious Activity Monitoring and Reporting: Once customers are onboarded, their interaction with your product must be monitored for unusual activity, including transactions, profile changes, and interaction with fintech personnel. The Policy should describe the processes of monitoring activity and escalating potentially suspicious activities to your bank partner for the ultimate determination of whether a Suspicious Activity Report (SAR) filing is necessary (as the regulated institution, only the bank will have the ability to submit SARs directly to FinCEN). This should also identify a transaction monitoring tool that you leverage to detect anomalies in transactions and patterns.
- Currency Transaction Reporting: Currency Transaction Reporting is the bank’s regulatory requirement to report currency transactions exceeding specified thresholds to FinCEN (e.g., cash deposits over $10,000). While it may be less likely that your fintech will facilitate cash transactions, it should still be included as part of your Policy–even if just to state that this reporting regime does not apply to your financial products.
- 314(a) Information Sharing: The mandatory 314(a) information sharing program requires financial institutions to respond to law enforcement requests seeking information related to an investigation of money laundering or terrorist financing. The fintech’s Policy should indicate that it will support the bank’s processes for responding to these requests, as the fintech (unless a regulated institution) is not likely to be subject to 314(a) directly.
- 314(b) Information Sharing: The voluntary 314(b) information sharing program enables secure information sharing among financial institutions, enhancing the collective ability to identify and combat money laundering risks. Your Policy should indicate whether your company and/or bank partner have opted-in to the voluntary 314(b) program, and if so, indicate that processes will be established to effectively and safely engage in this information-sharing activity.
- Subpoenas, Law Enforcement, National Security Letters: The Policy should include information on establishing procedures for handling subpoenas, law enforcement requests, and national security letters, including how the fintech will ensure compliance with legal requirements while safeguarding sensitive information.
- Sanctions Screening, Monitoring, and Reporting Processes: While US sanctions regulations promulgated by the OFAC are distinct from the BSA, they share similar compliance controls and are often bundled into one comprehensive BSA/AML and OFAC Compliance Program. The fintech’s Policy should identify the fintech’s commitment to implementing screening, monitoring, blocking, and reporting processes to meet OFAC and bank requirements.
- Training: Banks expect fintech partners to provide regular BSA/AML training for employees, which is essential for building awareness, understanding regulatory requirements, and fostering a culture of compliance within the organization. The Policy should include who is subject to training, training content requirements, and how often training should be conducted (e.g., at the time of hire, annually and specialized ad hoc training, as needed).
- Oversight of Servicers: Where third-party service providers are utilized to operationalize the BSA/AML Program, the fintech must ensure these servicers adhere to its BSA/AML standards, mitigating risks associated with outsourcing these processes. This Policy statement and its operationalization will share commonalities with the fintech’s Third-Party Risk Management Program (a separate compliance process vital to the success of bank-fintech partnerships.)
- Independent Testing: Independent testing and audits evaluate the effectiveness of your fintech’s BSA/AML program, identifying areas for improvement and ensuring ongoing compliance with bank expectations. The Policy should include a commitment to conduct these activities on a regular cadence and incorporate findings/feedback into remediation of any issues.
- Recordkeeping: The BSA requires financial institutions to maintain records of its compliance related processes, such as customer information, regulatory reports, transactions, and more. The fintech’s Policy should include a commitment to maintaining a comprehensive audit trail and meeting regulatory requirements for data retention, including the specific periods of retention for different types of records.
BSA/AML policy implementation
Great! You now know the basic elements of a BSA/AML Policy and are ready to fully check-off the bank’s ‘BSA/AML Program’ request. This doesn’t have to be intimidating though - you can get help formulating and implementing the Policy from your bank partner, outside compliance advisors, internal compliance staff, and other resourcesB
Remember, the BSA/AML Policy is just the start to building out a bank diligence-worthy BSA/AML Program. From a documented BSA/AML Policy comes obligations to operationalize it, run it, staff it, test it, mature it, and audit it. A strong AML Policy can’t do these things for you, but it can put your fintech in a strong starting position with your prospective bank partner, setting the stage for a long, fruitful, and safe partnership.